ASSESSMENT: OSINT On NUCLEAR POWER SYSTEMS

NUCLEAR FACILITIES AND POWER GENERATION:

As a second assessment on my power generation and OSINT series I decided to take a look at the security around the nuclear reactors within the US. Currently there is a lot of talk around the grid and the cyber warfare around attacking our power systems but not so much about the nuclear end of that equation. In looking at the bigger picture though, the nuclear facilities should also be on the top of the list for these types of attacks and to assess just how much connectivity there may be to the internet. However, in my assessment I came across much more data surrounding information that not only could help an attacker in attempting to access systems but also data that could help in a successful attack against facilities physically.

Of course the threat assessment today for nuclear facilities per the government where Jihadist terrorism is concerned is that they are not interested in nuclear reactors because they would not be a spectacular event as attacks go. I think this is a stupid mindset or group-think mistake on the part of those who present it as fact. Terror is terror and though a meltdown or a significant release of radiation from a facility would not rival a 9/11 it could cause mass confusion and perhaps result in some deaths. Mostly though, an attack no matter the amount of casualties would so fear and perhaps garner attention that those seeking jihad would desire. In either case, the assessment here will show that perhaps there is data out there that should not be and that perhaps we all should pay a little more attention to what we place on the internet.

OSINT DATA FOUND:

Once again just by using Google searches a lot of ancillary data as well as reports could be found on the NRC site. Whether or not these files are meant to be available online is the question and in most cases perhaps the data is considered to be protected behind HTTPS and within databases that “shouldn’t” be able to be spidered and cached by Google. Some of the data found was in fact in public files that were not marked for security at all while yet still others had been marked FOUO or NOFORN. Some of those documents had in fact been declassified (struck through and enclosures stripped) so they do take pains in most cases to remove data that would be detrimental if it got out. However, there were many files that were available that gave a lot of data to a would be attacker.

Included in the finds online that could just be clicked and downloaded were:

After Action Reports AAR’s from FEMA and NRC together (table top exercises around nuclear accidents and terrorism drills) that contained remediation plans

Homeland Security evaluations of sites

Emails between NRC and companies running facilities

Emails between government bodies (DHS/NRC/DOE) on sites and systems

In fact there’s a lot of different data to look through and I am not an expert on nuclear facilities or reactors but I am pretty sure that data on their weaknesses and their plans could be of use to an attacker.

Where current and decomm’d reactors are in the US and how many reactors per

Potential weaknesses in systems

Electrical systems diagrams for power output and grid

Systems online and their settings

Maps of facilities

Blueprints of reactor facilities

Electrical diagrams of control systems

Electrical diagrams of air systems

ANALYSIS:

My analysis for this OSINT assessment is the following:

There is enough data out there to be of use to an attacker

The NRC and other government bodies are leaking data that perhaps should not be

In some cases in fact NOFORN data was available as well as FOUO online through Google searches

While most of the physical security testing (red team) data was unavailable online it is still possible to see where vulnerabilities lie with data found

During this assessment at least no direct data such as passwords to remote SCADA/ICS systems were found in ftp sites (WIN)

It is my suspicion though that with the amounts of emails available a concerted phishing campaign could work very well on the NRC and the companies that run these facilities so one hopes that their OPSEC and technical systems might stop them. Reactors may not be a high value target for the jihadi’s but they aren’t the only ones who would be interested in such vulnerabilities. Given too that there have been a few recent attacks physically on power systems this should be something that we all should care about. We should care about it more as well because these facilities are large producers of megawatts and if taken offline could cause some real problems for the nation or portions thereof.

Another thought that I had was of the concentration of the facilities in the eastern half of the country. A concerted attack to damage them or to cause radiological releases and SCRAM’s could cause large swaths of the country to be under threat of radiation fallout from releases in concert. Of course this would be a very big task and the likelihood is small but it could be something someone would try. With the data available from this sampling one could extrapolate that more searches and a campaign of hacking could gather much more intelligence on the targets. All of this though just points to the fact that there is data out there and that perhaps processes in it’s protection is failing in certain quarters.